A recent lawsuit filed in California challenges the use of an artificial intelligence (AI)-based transcription tool by two organizations. The complaint alleges that Sutter Health and Memorial Healthcare Services improperly used an AI platform to record patient-provider conversations, which were then transmitted to external servers for processing and transcription.

The plaintiffs claim that this practice violates the California Invasion of Privacy Act (CIPA), the California Confidentiality of Medical Information Act (CMIA), the California Unfair Competition Law, the Federal Wiretap Act, and constitutes an invasion of a patient’s privacy. Specifically, the lawsuit alleges that the health care providers used the Abridge AI, Inc. platform without establishing proper consent procedures.

Abridge AI’s platform offers an “ambient clinical documentation system” designed to generate billable, AI-generated clinical notes that integrate directly into electronic health records (EHR) workflows. During patient visits, microphone-enabled devices in the exam rooms capture conversations between providers and patients. These recordings are transmitted to external servers, where the files are processed and transcribed, and used by an AI model to generate draft clinical notes that providers can review and incorporate into the patient’s EHR. 

According to the complaint, patients were not informed that their conversations were being recorded, transmitted to a third party, and processed using AI technology.

Lesson for Providers

Although this case is in the early stages, it highlights several important considerations for health care providers implementing or currently using AI documentation tools: 

1. Execute Business Associate Agreements with AI Vendors. AI platforms that process protected health information (PHI) on behalf of health care providers must sign and abide by the terms of a Health Insurance Portability and Accountability Act (HIPAA) compliant Business Associate Agreement.
2. Ensure Appropriate Consent Procedures Are in Place. As with any use or disclosure of PHI, organizations should ensure that patients are fully informed about how their data is being collected, used, and disclosed. Consent forms and Notices of Privacy Practices should clearly describe the use of AI tools, including any recording or third-party processing of patient interactions.
3. Adopt Robust Policies and Procedures Governing AI Tools. From a risk management perspective, providers should develop and implement comprehensive policies addressing the use of AI tools before deployment. These policies serve as guardrails for employees on how to appropriately and consistently use the AI tools and where to go for guidance on how to address questions or concerns.
4. Train Staff and Communicate with Patients. Frontline staff, including clinicians, should receive training on use of the AI tools and how to communicate their use to patients. Providers should inform patients when AI tools are being used during visits and provide an opportunity to opt out. Patient consent or refusal should be appropriately documented.

If you would like assistance with reviewing your organization’s consent processes, policies, or training related to AI tools, please contact Gabe García or Natalie Lesnick.